PDF malware analysis — malicious · 248cbfa1c8b62bb6

MALICIOUS

PDF

51.3 KB Created: 2020-08-07 05:06:01 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 95da4ed5ef8e8e80aaa7aea0fbd762d2 SHA-1: e3bd64fdc45fdd647b725d8e37ef4b296f0e6ef2 SHA-256: 248cbfa1c8b62bb61cf36c9b262e7d73379d2a06dfc163f6a59392b9f7547730

120 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains numerous embedded links, with one identified as a malicious redirector. The heuristic 'PDF_SEO_LINK_FARM' indicates a large number of external PDF links, suggesting a tactic to manipulate search engine results or distribute malicious content. The primary malicious URL identified is https://ttraff.com/pify?keyword=solo+guitar+playing+noad+pdf, which is likely used to redirect users to further malicious sites.

Heuristics 3

PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK

PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL https://ttraff.com/pify?keyword=solo+guitar+playing+noad+pdf
- http://files.alissahartenbaum.com/uploads/1/3/1/4/131482916/satogemimuxu_gubakumozeb.pdf
- http://files.thoughtfulduck.com/uploads/1/3/2/6/132695280/4013712.pdf
- http://files.yogawithdaba.com/uploads/1/3/1/4/131438059/xawir.pdf
- http://files.thepatriotoutpost.net/uploads/1/3/0/8/130874055/9e7473dc816c6de.pdf
- https://cdn.shopify.com/s/files/1/0431/6043/6887/files/nagoxakutuvukudepolit.pdf
- https://cdn.shopify.com/s/files/1/0430/3349/3655/files/87161985204.pdf
- https://cdn.shopify.com/s/files/1/0430/9454/0452/files/50242241048.pdf
- https://cdn.shopify.com/s/files/1/0432/6473/7433/files/wetotixebifotuvoxox.pdf
- https://cdn.shopify.com/s/files/1/0433/3964/5093/files/35872207368.pdf
- https://cdn.shopify.com/s/files/1/0430/0357/6481/files/73312261595.pdf
- https://cdn.shopify.com/s/files/1/0435/9297/4499/files/63877943982.pdf
- https://cdn.shopify.com/s/files/1/0438/4089/7189/files/mejuz.pdf
- https://cdn.shopify.com/s/files/1/0431/3251/8555/files/85621996737.pdf
- https://cdn.shopify.com/s/files/1/0429/5252/3929/files/bizenupoxipu.pdf
- https://cdn.shopify.com/s/files/1/0428/5543/2348/files/lununixazamomuriba.pdf
- https://cdn.shopify.com/s/files/1/0433/7840/9622/files/41613012737.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00006d19.bin` `d0e77dac65578d6b2a115b85a89bc328124179f864042ed1c4d6462e6277e04d`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6D19	5000 bytes
`font_01_sfnt_off00007e25.bin` `21ab569bc322e86dd33ecec00be934244864faa20806b34ba71b629d783686f4`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x7E25	17020 bytes
`font_02_sfnt_off0000afbf.bin` `4fcfa7c68d76e23b667942a3ac892d2d5d88346478daafc61479ad4df4af3dd3`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xAFBF	4324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.